POLONIUM Detection: Hacker Group Abuses Microsoft OneDrive


A hacker group tagged POLONIUM has been observed abusing Microsoft OneDrive personal storage service to drop custom malicious implants and launch supply chain attacks. Adversaries had succeeded in targeting more than 20 Israeli organizations before they were uncovered. There is substantial evidence that the hackers behind the attacks were based in Lebanon and were supported by Iran’s Ministry of Intelligence and Security (MOIS).


To identify whether your system was breached and deter future POLONIUM-related activity, utilize the Sigma rules released by skillful threat hunting engineers from SOC Prime and Nattatorn Chuensangarun – a pro detection content author contributing to our Threat Bounty Program:

Suspicious Powershell Strings (via cmdline)

Possible POLONIUM Execution by Requests to Predictable OneDrive File Paths (via proxy)

The rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Exfiltration, Command and Control, and Execution tactics with Exfiltration Over Web Service (T1567), Web Service (T1102), and Command and Scripting Interpreter (T1059) as the primary techniques.

Only the registered users can access the detection content published on the SOC Prime Platform. Hit the View in SOC Prime Platform button to access detection algorithms associated with Iranian cyber threat actors and other 185,000+ Sigma and YARA rules now – the registration to the Platform is a matter of a few clicks.

Press the Drill Down to Search Engine button to access the collection of the most on-demand Sigma rules, registration- and fee-free.



Over the course of the last three months, a Lebanon-based threat actor dubbed POLONIUM launched attacks against Israeli organizations that operate in financial, critical manufacturing, health, transportation, IT, food and agriculture sectors. The malicious activity was detected by Microsoft. According to the report released on June 2, 2022, POLONIUM actors abused the OneDrive file hosting service for command and control (C&C) in their attacks, also deploying malicious implants CreepySnail and CreepyDrive.

The tech giant stressed that those attacks were not enabled by any security holes within the OneDrive platform – hackers simply signed up and used legitimate accounts to misuse the OneDrive cloud service. Also, according to Microsoft, there are no traces of adversaries storing their malware on OneDrive.
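Because the abuse ran over legitimate OneDrive accounts rather than an OneDrive flaw, the place to look is the proxy layer, as the "via proxy" rule above does. The script below is an added example, not code from the SOC Prime post or its Sigma rules: it flags OneDrive/Graph drive API requests from a script-host user agent or with beacon-style repeat polling of one drive item. The log format, the sample lines, the host list, the user-agent patterns and the polling threshold are all assumptions constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample proxy log lines (tab-separated: time, client IP, method, URL, user agent).
# These are NOT real POLONIUM indicators; they only exercise the detection logic below.
SAMPLE_PROXY_LOG = """\
2022-06-02T09:00:01Z\t10.0.0.5\tGET\thttps://onedrive.live.com/?id=root\tMozilla/5.0 (Windows NT 10.0) Chrome/101.0
2022-06-02T09:00:07Z\t10.0.0.7\tGET\thttps://graph.microsoft.com/v1.0/me/drive/root:/sync/task.txt:/content\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2022-06-02T09:01:00Z\t10.0.0.9\tGET\thttps://api.onedrive.com/v1.0/drive/items/ABC123/content\tMozilla/5.0 (Windows NT 10.0) Chrome/101.0
2022-06-02T09:02:00Z\t10.0.0.9\tGET\thttps://api.onedrive.com/v1.0/drive/items/ABC123/content\tMozilla/5.0 (Windows NT 10.0) Chrome/101.0
2022-06-02T09:03:00Z\t10.0.0.9\tGET\thttps://api.onedrive.com/v1.0/drive/items/ABC123/content\tMozilla/5.0 (Windows NT 10.0) Chrome/101.0
2022-06-02T09:04:00Z\t10.0.0.5\tGET\thttps://graph.microsoft.com/v1.0/me/drive/root\tMozilla/5.0 (Windows NT 10.0) Chrome/101.0
"""

ONEDRIVE_HOSTS = {"api.onedrive.com", "graph.microsoft.com"}  # assumption: API hosts the rule keys on
DRIVE_PATH = re.compile(r"/drives?/", re.I)                   # OneDrive / Graph drive API paths
SCRIPT_HOST_UA = re.compile(r"WindowsPowerShell|python-requests|curl/", re.I)  # non-browser clients

def parse_line(line):
    ts, client, method, url, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}

def find_onedrive_c2_candidates(log_text, poll_threshold=3):
    """Return (reason, client, url) tuples for OneDrive API traffic that looks scripted."""
    findings = []
    polls = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = urlparse(rec["url"]).hostname or ""
        if host not in ONEDRIVE_HOSTS or not DRIVE_PATH.search(rec["url"]):
            continue  # ordinary browsing of onedrive.live.com etc. is out of scope here
        if SCRIPT_HOST_UA.search(rec["ua"]):
            findings.append(("script-host user agent on OneDrive API", rec["client"], rec["url"]))
        polls[(rec["client"], rec["url"])] += 1
    # One client fetching the same drive item again and again looks like polling for tasking
    for (client, url), n in polls.items():
        if n >= poll_threshold:
            findings.append((f"polled {n}x", client, url))
    return findings

if __name__ == "__main__":
    for reason, client, url in find_onedrive_c2_candidates(SAMPLE_PROXY_LOG):
        print(f"{client}: {reason} -> {url}")
```

Browser sessions to the OneDrive web UI are deliberately skipped; tune the hosts and threshold to your own proxy telemetry before using this as anything more than a triage aid.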

Microsoft researchers speculate that the initial access point could have been a flaw in Fortinet VPN appliances (most likely the four-year-old vulnerability tracked as CVE-2018-13379). This assessment is based on the victims’ profiles: the majority of targets (about 80%) were using Fortinet products.

The attacks were not linked to other Lebanon-based threat actors; however, research data suggest that POLONIUM activity can be attributed to the Iranian government.

The SOC Prime platform helps defend against tailored hacking solutions faster and more efficiently. Test the content streaming capabilities of the CCM module and help your organization empower daily SOC operations with our rich library of Sigma rules for cyber defenders. Never skip a beat operating in a fast-paced environment of cybersecurity risks and get the best mitigation solutions with SOC Prime.
